
How to prevent the need for token for public projects (jenkins)

Open halkeye opened this issue 8 years ago • 11 comments

Reading over https://github.com/codecov/codecov-python/blob/master/codecov/init.py it looks to me like the only reason you need to provide --token= for jenkins and not travis is because job is set for travis?

Why isn't job set to something (BUILD_NUMBER, or timestamp) for jenkins?

That way token wouldn't be required for public projects.

halkeye avatar Jul 27 '16 06:07 halkeye

@halkeye it is more than just the job number. We tap TravisCI API to validate build params to ensure the upload is authentic.

If the CI provider has an API endpoint we can not require the token, but until then we must include the token for authentication.

stevepeak avatar Jul 27 '16 12:07 stevepeak

Jenkins has a built-in API that you can get access to from a run

What data do you need?


halkeye avatar Jul 27 '16 13:07 halkeye

Is there documentation for this API endpoint? That would be the most help 👍

stevepeak avatar Jul 27 '16 13:07 stevepeak

Okay I'll see what I can dig up the next time I'm at a computer

I know you can access it through the api link on the bottom of every page

Would be something like /jenkins/job/$build_name/$build_id/api


halkeye avatar Jul 27 '16 13:07 halkeye

https://wiki.jenkins-ci.org/display/JENKINS/Remote+access+API

Has some info too

I don't think it's super documented though

It's also not hard to expose more info through a custom plugin if needed


halkeye avatar Jul 27 '16 13:07 halkeye

I see posting builds, but not an endpoint for GET builds. I would guess it's simply at

curl -X GET JENKINS_URL/job/JOB_NAME/build/BUILD_NUM

There likely is an authorization token required to access this data.

Is there documentation on GET builds?

stevepeak avatar Jul 27 '16 17:07 stevepeak

I'm not super familiar with the rest apis, but I can ping the mailing list if need be

curl -X GET $BUILD_URL would prevent you needing to build the url yourself

HUDSON_COOKIE

HUDSON_SERVER_COOKIE

JENKINS_SERVER_COOKIE

I'm not sure how (yet) but those can be used during the request for authentication on hitting the urls

https://jenkins.ci.cloudbees.com/job/plugins/job/sauce-ondemand-plugin/338/api/json?pretty=true

^^ has a bunch of info.


halkeye avatar Jul 27 '16 17:07 halkeye

Thanks for the details here. So the environment variables you stated would be used to authorize access to the BUILD_URL endpoint? ❤️ Love it!

How would I use the cookie if I'm making this api request server side?

stevepeak avatar Jul 27 '16 18:07 stevepeak

Oh I'm totally wrong, those cookies are just random strings for identification purposes.

I'm trying to figure out ways to run codecov tool in public without being able to provide token in a secret way.

If that means writing a helper plugin to expose more data I totally will.

halkeye avatar Jul 27 '16 22:07 halkeye

That would be great! Here are some ideas of the information we would like to verify in order to accept uploads:

  1. repository slug being tested owner/repo
  2. if the Jenkins build is still running
  3. commit sha being tested
  4. branch being tested

stevepeak avatar Jul 28 '16 13:07 stevepeak

Here is an example:

{
  "finished": false,
  "build_num": 145,
  "slug": "owner/repo",
  "commit": {
    "sha": "815be8d6e1af1c3449407cc6d085b550f14b907d",
    "branch": "master",
    "is_merge_commit": false
  }
}

stevepeak avatar Jul 28 '16 13:07 stevepeak
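
Added example (not part of the thread and not Codecov's code): a sketch of the server-side check the last two comments describe, comparing what an uploader claims against the build document in the JSON shape proposed above. The function name, the claim keys and the rejection messages are hypothetical, and the build document is assumed to have been fetched by the server from the CI host itself, never supplied by the uploader.

```python
import json
import re

SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample: the build document in the shape proposed above, as the
# server would fetch it from the CI host.
SAMPLE_BUILD = json.loads("""
{
  "finished": false,
  "build_num": 145,
  "slug": "owner/repo",
  "commit": {
    "sha": "815be8d6e1af1c3449407cc6d085b550f14b907d",
    "branch": "master",
    "is_merge_commit": false
  }
}
""")


def verify_tokenless_upload(claim, build):
    """Return rejection reasons; an empty list means the upload is accepted.

    claim: values sent by the uploader (hypothetical keys).
    build: the document the server itself fetched from the CI host.
    """
    reasons = []
    commit = build.get("commit") or {}
    # Fail closed: only an explicit "finished": false counts as running,
    # which stops reports being replayed against an old build number.
    if build.get("finished") is not False:
        reasons.append("build is not running")
    if not SHA_RE.fullmatch(str(claim.get("sha", ""))):
        reasons.append("malformed commit sha")
    checks = (
        ("build_num", build.get("build_num")),
        ("slug", build.get("slug")),
        ("sha", commit.get("sha")),
        ("branch", commit.get("branch")),
    )
    for key, actual in checks:
        # A field missing on either side never matches.
        if actual is None or claim.get(key) != actual:
            reasons.append(key + " mismatch")
    return reasons
```

The check only has value if the build document comes from an endpoint the uploader cannot influence; without that, the four fields are just more uploader-supplied input.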